
PayPal Asks: What Makes a Safe Browser?

Last month, eWeek reported that PayPal intends to block unsafe browsers from accessing their site. They’ve focused on phishing detection and support for Extended Validation SSL Certificates. So what are these features, and why does PayPal think they’re critical? And just which browsers are they likely to block?

Phishing protection has an obvious appeal for a site whose accounts are one of the biggest phishing targets on the web. Opera 9.1 and up, Firefox 2, and Internet Explorer 7 check the websites they visit against lists of known fraudulent sites. These browsers will warn users before they accidentally type their credentials into a bogus log-in form. While this makes no difference when a user is already on PayPal’s site, it does mean the user is less likely to get his or her password stolen, and thieves are less likely to carry out fraudulent transactions with the account.

Extended Validation or EV certificates are like normal SSL certificates: they encrypt your web activity to prevent eavesdropping. What makes them different is that EV certificates require the issuer to verify the site owner more thoroughly. Browsers with EV support will display an indication that the site has been verified, usually by turning part or all of the address bar green. This is intended to give the user greater confidence that the site is legit. EV certificates are currently supported by IE7 and development versions of Opera 9.50 and Firefox 3. (You can preview a version of Opera with EV support by downloading Opera 9.50 beta 2.)

(It’s worth noting that Opera 9.50 beta 2 is stricter about verifying EV certificates, and will not show PayPal with a green bar because it loads images and scripts from another site. More recent preview releases will, like IE7 and Firefox 3, be satisfied if the main page is EV and the resources are all protected by regular SSL.)

So which browsers might get turned away at the gate?

In a follow-up story, PayPal clarified that they have absolutely no intention of blocking current versions of any browsers, and that they would only block obsolete browsers on outdated or unsupported operating systems. So an Opera 9 user on Windows XP isn’t likely to get shut out of PayPal anytime soon. But a Windows 98 user might have cause for concern.

Browser detection is extremely tricky to get right, requiring frequent adjustments. It looks like PayPal intends to take the minimalist approach: Assume most browsers are capable of handling what you send them, and only block the problematic ones.
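
The default-allow approach described above, sketched as an added example (not PayPal's code). The version thresholds and OS tokens are assumptions based on the browsers named in this post, and the User-Agent strings are constructed samples.

```python
import re

# Assumed policy values for illustration; PayPal's real criteria are not on this page.
UNSUPPORTED_OS_TOKENS = ("Windows 98", "Win98", "Windows 95", "Win95")
# Oldest versions this post names as having phishing protection.
MIN_VERSION = {"opera": (9, 1), "firefox": (2, 0), "msie": (7, 0)}

# Order matters: Opera can identify itself as MSIE and append its own
# token at the end, so Opera must be tested before MSIE.
BROWSER_PATTERNS = (
    ("opera", re.compile(r"Opera[ /](\d+)\.(\d+)")),
    ("firefox", re.compile(r"Firefox/(\d+)\.(\d+)")),
    ("msie", re.compile(r"MSIE (\d+)\.(\d+)")),
)

def identify(user_agent):
    """Return (browser, (major, minor)), or (None, None) if unrecognized."""
    for name, pattern in BROWSER_PATTERNS:
        match = pattern.search(user_agent)
        if match:
            return name, (int(match.group(1)), int(match.group(2)))
    return None, None

def decide(user_agent):
    """Block only a known-obsolete browser on a known-unsupported OS."""
    browser, version = identify(user_agent)
    if browser is None:
        return "allow"  # minimalist rule: unknown browsers are assumed capable
    old_browser = version < MIN_VERSION[browser]
    old_os = any(token in user_agent for token in UNSUPPORTED_OS_TOKENS)
    return "block" if (old_browser and old_os) else "allow"

# Constructed sample User-Agent strings. The header is client-supplied and
# can be changed by the user, so this gate is a compatibility policy, not an
# authentication or anti-fraud control.
SAMPLES = {
    "ie6_win98": "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)",
    "ie6_winxp": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "opera9_winxp": "Opera/9.27 (Windows NT 5.1; U; en)",
    "opera9_as_ie": "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; en) Opera 9.27",
    "opera8_win98": "Opera/8.50 (Windows 98; U; en)",
    "unknown_win98": "ExampleBrowser/1.0 (Windows 98)",
}

if __name__ == "__main__":
    for label, ua in SAMPLES.items():
        print(f"{label:14} {decide(ua)}")
```

The `opera9_as_ie` sample shows why detection order matters: a check for `MSIE 6.0` alone would misclassify a current Opera as IE6 on Windows 98 and block it.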

16 Comments

  1. 1 Steve Barker

    I noticed this on the BBC on the 18th of April, and have since only used PayPal on this computer (486 DX, running FreeBSD/Opera 8.5 - no flash/java), except once when I used BeOS 4.5 with NetPositive. Just to make a point that some of us want to use older machines, and that they could end up turning customers away.

    I love old computers, and do not see why they should be made unusable. Technology is precious, and should not be discarded. I tend to use the 486 as my main surfing machine, and the Core 2 Duo with Linux for the odd flash site. I would argue that my older machines are as safe as any new machine, it is mainly the user that creates the risks. Friends of mine only managed 2 days with their new Windows computer before obtaining ads that pop up when connecting to the net.

    I also hate the way that e-bay gives you this message when you use Opera 8 or earlier:

    “Message from eBay
    To effectively use eBay, we recommend upgrading your Web browser. Benefits of upgrading include the use of the latest security updates and support of interactive Web features.”

    Having used e-bay on newer browsers, I can detect no advantage over Opera 8.

    I recently decided to try the anti fraud feature on Opera 9.27, after a few hours I found an Eastern European download site that brought up a big warning message. On one level I was impressed, but then I would never seek out such a site…..

  2. 2 Kyle Baker

    I agree with you Steve. Besides, I’d be willing to bet that most of the general public that have access to the Internet are not using the “latest and greatest”.

    I know many people/families who have had the same computer for 7-8 years easily and are content with it until it no longer works. Some of these computers are running early Windows builds such as 98 and 2000 that, while a lot of people love them, are far behind by today’s standards and could easily be targeted for exclusion.

    I think we the public should send a message to companies such as eBay to support graceful degradation.

  3. 3 David Naylor

    Well… computer nostalgia is one thing. But it isn’t unreasonable for a banking site to require a modern web browser…

  4. 4 Jezetha

    I use PayPal every time and haven’t experienced any difficulty.

  5. 5 Steve Barker

    David Naylor May 27th, 2008 at 4:49 pm

    “Well… computer nostalgia is one thing. But it isn’t unreasonable for a banking site to require a modern web browser…”

    Is it reasonable to discard perfectly working machines, which are often better built than current models? Most of the time, the new superior products are being pushed just to feed the software / hardware suppliers’ mutual benefit in change, with the consumers just being there to pay?

    Last week I was sat on the train and the bloke next to me was hunched over a new laptop playing with Microsoft Dynamics V4, with the help of the instruction manual. I got chatting to him, and he said that he was trying to work out how to use version 4, having only just mastered V3.5 it had all changed.

  6. 6 Kelson

    @Kyle: While I don’t doubt there are plenty of aging machines out there, there is a difference between “modern” and “latest and greatest.” If you’re only looking at Vista and Leopard on the latest hardware, the numbers are going to be small, but if you include other releases that still have vendor support, like Windows XP, the numbers widen considerably.

    I’ll have to check some global stats, but my own site is seeing 70% WinXP and 14% Vista on OS, and 36% IE7, 27% Firefox 2, and 25% IE6 on browsers. (Sadly, AWStats doesn’t break down Opera, Safari or Mac OSX versions.) Only 4% are on older versions of Windows, less than half a percent on older versions of IE, and less than 1% on older versions of Firefox.

    That’s more than 84% on a modern OS, and more than 63% on a modern browser (I can’t bring myself to include IE6), even before factoring in Opera, Safari, Mac OS, or Linux.

    @Jezetha: Last I heard, PayPal hadn’t actually started blocking browsers yet, just talking about it. Even so, Opera 9.2 on WinXP fits their current criteria for “acceptable” and then some.

  7. 7 algarcia

    Well, my bank here in Venezuela didn’t work with Opera. When I typed the address it showed nothing, blank, not even the page’s title. Now I changed the site prefs in Opera so the bank identifies this browser as Firefox instead of Opera and everything’s working great now.

  8. 8 Steve Barker

    Kelson
    May 27th, 2008 at 6:01 pm

    “If you’re only looking at Vista and Leopard on the latest hardware, the numbers are going to be small, but if you include other releases that still have vendor support, like Windows XP, the numbers widen considerably.”

    XP is only supported for another 32 days 18 hours and 16 min (from savexp dot com). Will this mean many more viable machines ending up down the tip?

  9. 9 Kelson

    “XP is only supported for another 32 days 18 hours and 16 min”

    Not exactly. XP is only available through the end of June. It will still receive “mainstream” (i.e. full) support through April 2009, with extended support (including security fixes) through 2014. (Source: Microsoft Product Lifecycle Search)

    You only have a month to buy a new copy of Windows XP, but existing computers will have 6 years before Microsoft stops shipping security updates.

  10. 10 Adult Ühler

    Sounds like a good idea to me. I have no idea how many fake pay pal emails I’ve had.

    I just wish they would block IE to start an avalanche of browser migrations :P

  11. 11 Steve Barker

    Sorry Kelson, got the wrong word - brain hardly functioning 05.30Hrs UK time, and still half asleep.

    I was thinking that it’s very much like cars, soon as a model is discontinued their value drops, suddenly they become much less desirable - even though you can still get spare parts (might not be the same in the States with different versions most years).

  12. 12 Zemlire Ventillo

    @Steve Barker, I think you are confused. They aren’t saying old hardware, they are saying old software. Which I can understand, seeing as most ‘old’ operating systems and web browsers have poor security.

  13. 13 Khadra Warsame Penh Neang

    So far been using PayPal with Opera Mini 3 and 4 versions since without any kind of difficulties

  14. 14 Joeri

    I can see it happening: “Hey, look. I’ve found this site that *does* allow me to do PayPal transfers!”

    Uh-huh…

  15. 15 anon

    Joeri:

    Indeed, I thought the same when I read the news.

    User education would be much more effective than blocking IE6 or whatever PayPal is planning.

  16. 16 dantel

    Sounds like a good idea to me. I have no idea how many fake pay pal emails I’ve had.